Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Gross Niv Analyzing Spammer’s Social Networks for Fun and Profit ChaoYang Robert Harkreader Jialong Zhang Seungwon Shin Guofei Gu Gross Niv Analyzing Spammer’s Social Networks for Fun and Profit A Case Study of Cyber Criminal Ecosystem on Twitter Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Few Pictures of The Authors: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
A Few General Questions. How many Monthly active users ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
A Few General Questions. How many Monthly active users ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
A Few General Questions. How many Monthly active users ? How Many percent are Active Users on mobile ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
A Few General Questions. How many Monthly active users ? How Many percent are Active Users on mobile ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
A-Few General Questions. How many Monthly active users ? How Many percent are Active Users on mobile ? How many Employees around the world? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
A Few General Questions. How many Monthly active users ? How Many percent are Active Users on mobile ? How many Employees around the world? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Chapters: INTRODUCTION RESEARCH GOAL AND DATASET INNER SOCIAL RELATIONSHIPS OUTER SOCIAL RELATIONSHIPS INFERRING CRIMINAL ACCOUNTS RELATED WORK LIMITATIONS AND FUTURE WORK CONCLUSION Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Spam Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Malware: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Question: Anyone knows what's Twitter’s “Follow Limit Policy”? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Question: Anyone knows what's Twitter’s “Follow Limit Policy”? According to this policy, once an account has followed 2,000 users, the number of additional accounts it can follow is limited to its follower number Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Updated Twitter Rules This Days: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Updated Twitter Rules This Days: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Command And Control Server which control botnets in order to transfer instruction The server can send commands threw twitter accounts (Base-64 encoded text) Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Criminal accounts Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Ways cyber criminal uses twitter: sending spam phishing scams spreading malware hosting botnet C&C channels launching other underground illicit activities. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
How Twitter Community Help Cyber Criminal Help them spread their illicit content with increasing the visibility of their malicious content. Harder to Detect the criminal account when been followed by legitimate accounts. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Victims Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Twitter Rules(spammer) Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
How would you label URL as a malicious? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Google Safe Browsing The URLs are labeled as malicious by using the widely-used URL blacklist Google Safe Browsing (GSB) and a high-interaction client honeypot, implemented using Capture-HPC. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Research target The research target ,on criminal accounts as defined by Twitter Rules, who mainly post malicious URLs linking to malicious content with an intention to compromise users computers or privacy. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Dataset Twitter Accounts 485,721 Tweets 14,401,157 URLs 5,805,351 malicious affected accounts 10,004 identified as spammer accounts 2,060 Date of tapping into twitter’s streaming April 2010- July 2010 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Twitter Accounts As Graph following someone1 someone2 someone3 In dataset, the criminal relationship graph consists of 2,060 nodes and 9,868 directed edges Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Criminal Relationship graph: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Compare with three metrics graph density Reciprocity Average Shortest Path Length Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Different Between legitimate twitter account and criminal accounts The graph density is defined for directed simple graph: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
The graph density following |E| = ? someone1 someone2 someone3 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
The graph density following |E| = 6 |V| = ? someone1 someone2 someone3 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
The graph density following |E| = 6 |V| = 3 = 6 3⋅ 3−1 =1 someone1 = 6 3⋅ 3−1 =1 |V| = 3 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
The graph density following |E| = 3 |V| = 3 = 3 3⋅ 3−1 = 1 2 someone1 = 3 3⋅ 3−1 = 1 2 |V| = 3 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
The graph density |E| = 0 |V| = 3 = 0 3⋅ 3−1 =0 someone1 someone2 = 0 3⋅ 3−1 =0 |V| = 3 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Density Different Between legitimate twitter account and criminal accounts Legitimate Twitter accounts 41.7 million users ,1.47billion edges 𝟖.𝟒𝟓⋅ 𝟏𝟎 −𝟕 Criminal relationship 𝟐.𝟑𝟑⋅ 𝟏𝟎 −𝟑 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Different Between legitimate twitter account and criminal accounts Reciprocity- is represented by the number of bi-directional links to the number of out links (follow each other) someone1 someone2 Following each other Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Different reciprocity graph Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Average Shortest Path Length Average Shortest Path Length is defined as the average number of steps along the shortest paths for all possible pairs of graph nodes data set with 3,000 accounts Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
following quality “following quality”-which is the average follower number of an account’s all following accounts. In this way, a higher following quality of an account implies that this account tends to follow those accounts with more followers. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Following quality example someone2 4 someone1 someone3 6 FQ= (4+6)/2 =5 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Following quality In this way, a higher following quality of an account implies that this account tends to follow those accounts with more followers. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Following quality Diffrence Select a paper and notify me by Tuesday, November 8, 2016 Recommended reading: This observation validates that criminal accounts’ actions of indiscriminately following others lead them to connect with low quality accounts, and hence connect with other criminal accounts. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
CONCLUSION Criminal accounts tend to be socially connected, forming a small-world network Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Victims Criminal leaves Criminal hubs Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Victims Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Victims Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Compared to the Bee Community Criminal leaves, like bee workers, mainly focus on collecting pollen. Criminal hubs, like bee queens, mainly focus on supporting bee workers and acquiring pollen from them. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Which kind of supports you inspect there are ? Criminal Supporters They are accounts outside the criminal community, who have close “follow relationships” with criminal accounts Which kind of supports you inspect there are ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
How many supports there are in the dataset ? Criminal Supporters How many supports there are in the dataset ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Dataset Twitter Accounts 485,721 Tweets 14,401,157 URLs 5,805,351 malicious affected accounts 10,004 identified as spammer accounts 2,060 Date of tapping into twitter’s streaming April 2010- July 2010 Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Criminal Supporters They got output 5,924 criminal of supporters What kind of supports there are? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Characterizing Criminal Supporters After extracting criminal supporters we observe three representative categories of supporters. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Social Butterflies accounts that have extraordinarily large numbers of followers and followings. These accounts build a lot of social relationships with other accounts without discriminating those accounts’ qualities. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
5,924 criminal of supporters Social Butterflies How many Butterflies supporters you think there is in this dataset? 5,924 criminal of supporters Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Social Butterflies They found 3,818 social butterflies (5,924 total) The hypothesis that the reason why social butterflies tend to have close friendships with criminals is mainly because most of them usually follow back the users who follow them without careful examinations. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Social Butterflies how would you validate this hypothesis ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Social Butterflies 10 accounts to follow 500 accounts (from the butterfly account). 10 accounts to randomly normal accounts, and 10 accounts following criminal accounts Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
47.8% of those butterflies follow back Social Butterflies After 48 hours: 47.8% of those butterflies follow back 1.8% of those normal accounts follow back 0.6% of those criminal accounts follow back. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Social Promoters those Twitter accounts that have large following-follower ratios larger following numbers and relatively high URL ratios. The owners of these accounts usually use Twitter to promote themselves or their business. How many social promoters there are ? 5,924 criminal of supporters 3,818 social butterflies Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Social Promoters 508 social promoters Promoters may become criminal supporters by unintentionally following criminal accounts. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
those Twitter accounts who post few tweets but have many followers. Dummies those Twitter accounts who post few tweets but have many followers. The hypothesis that the reason why dummies intend to have close friendship with criminals is mainly because most of them are controlled or utilized by cyber criminals Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
1 account has been suspended . Dummies Analyzed 81 dummy accounts several months after the data collection. They find that: 1 account has been suspended . 6 accounts do not exist any more (closed), 36 accounts begin posting malware URLs labeled by GSB 8 accounts begin posting (verified) phishing URLs. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Dummy post This dummy account steals victims’ email addresses through claiming to help people earn money. However, the dummy account sends email spam. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
My own experience with twitter What type of account those are ? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Similar tweet: Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Later on twitter deleted those accounts My own experience with twitter Later on twitter deleted those accounts Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
My own experience with twitter What type of account this? Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
After few days I did not follow back this account unfollowed me My own experience with twitter After few days I did not follow back this account unfollowed me Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Limitations The dataset may contain some bias The number of our analyzed criminal accounts is most likely only a lower bound of the actual number in the dataset. The exact values of some metrics used in the work may vary a little bit when using different sample datasets. Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
CONCLUSION This Article present an analysis of the cyber criminal ecosystem on Twitter. It provides in-depth investigation on inner and outer social relationships. The Article reveal the characteristics of three representative categories of criminal supporters Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis
Gross Niv Analyzing Spammer’s Social Networks for Fun and Profit ChaoYang Robert Harkreader Jialong Zhang Seungwon Shin Guofei Gu Gross Niv Analyzing Spammer’s Social Networks for Fun and Profit A Case Study of Cyber Criminal Ecosystem on Twitter Gross Niv, Ben-Gurion University CS20225921, Advanced Topics in On-Line Social Networks Analysis